Update, June 24, 2026: Microsoft, Europol, ESET, and other partners disrupted infrastructure used by StealC and Amadey as part of Operation Endgame. The update does not mean every infected computer is clean. It means many command-and-control servers and domains were taken down, while anyone who ran a StealC payload should still treat browser passwords, session cookies, crypto wallets, and saved logins as exposed.
StealC is an infostealer sold as malware-as-a-service. It steals data from browsers, extensions, cryptocurrency wallets, messaging apps, email clients, and other desktop software. Amadey is commonly used as a loader: it gives attackers an initial foothold and can deliver stealers or other payloads. Together they form the kind of commodity malware chain that turns one infected Windows device into stolen credentials, sold access, and follow-on fraud.
What Changed in the June 24 Operation Endgame Disruption?
Microsoft said its Digital Crimes Unit worked with Europol and partners to take down, suspend, block, or notify providers about more than 200 malicious Amadey and StealC command-and-control domains and IP addresses. Europol said the wider action disrupted 326 servers and 142 domains, recovered about 27 million stolen login credentials, and restricted criminal crypto assets worth more than $47 million.
ESET, which assisted the operation, said the action affected roughly 50 domains and nearly 200 active IP-based C&C servers associated with Amadey and Stealc. Microsoft also reported that the two malware families were linked to more than 140,000 infected computers globally during the first two weeks of May 2026 alone.
| Fact | Why it matters |
|---|---|
| StealC steals browser, wallet, app, and session data. | Password changes from the same infected device are not enough; stolen cookies and tokens may remain valid until sessions are revoked. |
| Amadey can act as a loader for StealC and other malware. | A visible stealer detection may not be the only payload. Check persistence, startup entries, scheduled tasks, and follow-on malware. |
| Operation Endgame disrupted infrastructure, not every endpoint. | A takedown can break attacker control, but local cleanup and account recovery are still user-side tasks. |

How StealC Spread Before the Disruption
Sekoia first described Stealc in 2023 as a copycat-style infostealer influenced by Vidar, Raccoon, Mars, and RedLine. Its operators advertised it on forums and Telegram as a configurable stealer with an admin panel, and early samples targeted browsers, browser extensions, desktop wallets, and selected file types.

The original distribution paths included fake cracked-software and download lures. That pattern still matters: StealC and similar stealers often reach users through fake installers, malicious ads, video tutorials, archive files, fake updates, and social-engineering chains. Recent campaigns involving stealers have also used ClickFix-style prompts, malicious scripts, and loader services before the final payload appears.

What to Do if StealC or Amadey May Have Run on Your PC
- Disconnect the device from sensitive accounts first. Do not log in to email, banking, crypto, work, or password-manager accounts from the suspected machine until it is cleaned.
- Remove the malware and check for persistence. Look for unknown startup entries, scheduled tasks, recently dropped files in Downloads/AppData/Temp, browser changes, and security-tool alerts that return after reboot.
- Clean before changing passwords. Change passwords from a separate trusted device. If you reset passwords from the infected PC, a stealer or loader may capture the new credentials too.
- Revoke sessions, not just passwords. Sign out of all sessions, revoke OAuth/connected apps, rotate API keys, reset crypto-wallet seed exposure assumptions, and check email forwarding rules.
- Watch for follow-on fraud. Stolen logs can fuel account takeover, payment fraud, fake support contacts, and ransomware access even after part of the malware network is disrupted.
If a suspicious installer, cracked app, fake update, or script already ran, a normal delete-and-reboot is not enough. Security tools may remove the visible payload while a loader, scheduled task, service, browser change, or another bundled component remains and restores access later. Run a full Gridinsoft Anti-Malware scan, remove detections, reboot, and scan again if alerts or browser/session symptoms return.
If a token stealer ran here, logging back in can hand the attacker your new Discord session, email cookie, Steam token, or wallet access. Scan this Windows PC first, then reset passwords from a clean device.
Scan this PC for stealer leftoversRelated Gridinsoft Guides
- Password Stealer Malware: Recovery After Browser Cookies and Saved Logins Leak
- Top Infostealer Malware in 2026: Stealer Logs, Families, and What to Do
- CryptoBandits.A USB Clipper: wallet and removable-drive safety checks
- SocGholish Malware: fake update cleanup and session-risk checks
FAQ
Does the Operation Endgame disruption mean StealC is gone?
No. It disrupted a large part of the infrastructure used by StealC and Amadey, but malware operators can rebuild, switch servers, or use already stolen data. Treat it as good news, not as proof that affected devices are safe.
Should I change passwords if StealC was detected?
Yes, but change them from a clean device after the infected computer is isolated and scanned. Also revoke sessions and connected apps, because infostealers can steal cookies and tokens that survive a password change.
Is Amadey the same malware as StealC?
No. Amadey is primarily a loader/bot that can deliver additional malware. StealC is the infostealer that collects credentials, wallet data, browser information, and other sensitive files. They are dangerous together because the loader can install the stealer and other payloads.
References
- Sekoia.io. “Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity.” Sekoia Threat Research, February 2023, accessed June 24, 2026. https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
- Microsoft Security. “StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them.” Microsoft Security Blog, June 24, 2026, accessed June 24, 2026. https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/
- Europol. “Global cyber strike disrupts SocGholish, Amadey and StealC malware networks.” Europol Newsroom, June 24, 2026, accessed June 24, 2026. https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks
- ESET Research. “ESET takes part in Operation Endgame to disrupt Amadey and Stealc.” WeLiveSecurity, June 24, 2026, accessed June 24, 2026. https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc/

